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1. (U//FOUO) Overview 

(U//FOUO) This specification exists to provide a common interface while preventing the use of other, 
more sensitive, execution specifications in persistence scenarios. It is not expected that this will be the 
only persistence interoperability mechanism implemented by the Sponsor, instead this specification 
provides a default. 

(U//FOUO) Persistence modules consist of a Loader which utilizes a persistence technique (either hard 
or soft) and a payload to launch after a reboot or other execution ending event. Both pieces are exposed 
and vulnerable to hostile scrutiny and so must be simple, lack any definite attribution indicators, and 
easy to replace. 

(U//FOUO) Payload modules are Windows DLLs with at least one entry point defined, DllMain. 

2. (U//FOUO) Loading and Invocation 

1. (U//FOUO) The Persistence Loader gains execution through its persistence technique and causes 
the payload to be loaded into an appropriate process via LoadLibrary or equivalent 
technique. 

a. (U//FOUO) The Loader should apply the default memory page permissions for a 

module's sections (i.e., as would be set by LoadLibrary). This prevents a single large 
chunk of PAGE_EXECUTE_READWRITE memory which could easily be found by memory 
forensics. 

2. (U//FOUO) From DllMain the payload spawns a new thread to execute its main code. 
DllMain otherwise behaves as per the MSDN documentation, to include return values. This is 
done to comply with the MSDN documentation of DllMain's execution environment. 

3. (U//FOUO) If possible the Loader responds to DllMain's exit status as per the MSDN 
documentation. If the payload is to be unloaded then the memory the payload occupied is 
zeroed afterwards. 

a. (U//FOUO) Not all persistence techniques permit the Loader to collect this exit status. If 
a particular technique does not make this easy then the Loader may ignore this return 
value and so leak it. Because this leak occurs approximately once per boot this is 
acceptable. 


3. (U//FOUO) Arguments 

(U//FOUO) If a payload expects arguments then it must define an expected environment variable name 
in its documentation. Prior to calling DllMain the Loader will set this environment variable to a null 
terminated string (wchar_t) representation of the command line arguments. This representation will 
not include an argv [ 0 ] placeholder. For example, a payload that reads input from one parameter 
named file and writes output to a second parameter specified file might define WINDBG_LOG to be its 
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environment variable and so would be invoked by the loader with an environment including 
WINDBG_LOG="c:\fileone.txt c:\filetwo.log". 

(U//FOUO) The user is responsible for conveying both the expected variable name and the command 
line arguments to the Loader's configuration component prior to deployment. 

(U//FOUO) Because few tools require this behavior it is optional for payloads. Loaders must support 
executing payloads without arguments without creating a dummy environment variable. In all cases a 
payload requiring arguments must support some reasonable behavior when invoked without expected 
arguments (e.g, quitting gracefully). 


4. (U//FOUO) Structured Exception Handling 

(U//FOUO) Loaders will not provide fix ups to allow payloads to use Structured Exception Handling 
(SEH). If a payload wishes to use SEH it must perform the fix ups itself. 

5. (U//FOUO) Uninstallation 

(U//FOUO) This specification explicitly does not define a mechanism for the payload to communicate to 
the loader that it should be removed. This is because persistence techniques vary so widely that a single 
standard could not reasonably accommodate all of the possible cases. The only requirement that this 
specification applies is that loaders must provide some mechanism for a user to de-persist a given 
payload. 
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(U//FOUO) Appendix A: Version History 

(U//FOUO) Version 1: Initial publication 
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